Evil QR – A New QR Jacking Attack that Enables Attacker to Take Over User Accounts

Evil QR – A New QR Jacking Attack that Enables Attacker to Take Over User Accounts

Evil QR is a spin-off of a QR Jacking attack, the latest phishing attempt by threat actors to gain access to the victim’s machine.

QRLJacking or Quick Response Code Login Jacking is a simple social engineering attack vector capable of session hijacking affecting all applications that rely on the “Login with QR code” feature as a secure way to login into accounts. 

Read moreBuilding cyber skills and roles from CyBOK foundations

The latest article on breakdev demonstrates how attackers could take over accounts by convincing users to scan supplied QR codes, through phishing.

How the Attack Works:

In recent years, most websites have allowed users to log in by scanning QR codes using mobile phones.

Read moreAccessibility as a cyber security priority

Attackers took advantage of this process and sent spam emails containing Spoofed QR codes from the original website to compromise the victims.

In this article, the author explained how phishing is sent through the Evil QR toolkit utilizing the Discord page.

Read moreNew interactive video - and related downloads - to help secondary school kids stay safe online

The attacker opens the official Discord login page within their web browser to generate the sign-in QR code.

Using the Evil QR browser extension, the attacker is able to extract the sign-in QR code from the login page and upload it to the Evil QR server, where the phishing page is hosted.

Read moreNigerian Cybercrime Ring's Phishing Tactics Exposed

The phishing page, hosted by the attacker, dynamically displays the most recent sign-in QR code controlled by the attacker.

Once the victim successfully scans the QR code, the attacker takes control of the compromised account

Read moreS3 Ep135: Sysadmin by day, extortionist by night

The Evil QR attack can be customized using personalized phishing pre-text, with dynamic updates, for every website separately. 

Evil QR browser extensions can detect and extract QR codes, within websites, no matter how they are rendered.

Read moreUS offers $10m bounty for Russian ransomware suspect outed in indictment

The extension supports extracting QR codes rendered as CANVAS, IMG, SVG, or even DIV (by taking a screenshot with the html2canvas library).

Evil QR server

The server is developed in GO and its main purpose is to expose REST API for the browser extension and run an HTTP server to host the phishing page.

Read moreBelkin Wemo Smart Plug V2 – the buffer overflow that won’t be patched

It waits for  authenticated communication from the browser extension, including a QR code image with metadata in JSON format on /qrcode/[qr_uuid] endpoint:

{
    “id”: “11111111-1111-1111-1111-111111111111”,
    “source”: “data:image/png;base64,iVBORw0K…”,
    “host”: “discord.com”
}

Read moreZut alors! Raclage crapuleux! Clearview AI in 20% more trouble in France

The retrieved QR code is then stored and is available for retrieval by the JavaScript running on the phishing page.

The phishing page uses HTTP Long Polling to be able to retrieve QR code updates with minimal delays without having to use WebSockets.

Read moreHeads Up CEO! Cyber Risk Influences Company Credit Ratings

The phishing page automatically detects which hostname the QR code was retrieved from and can dynamically adjust its CSS and text content to change the phishing pre-text for social engineering purposes.

To phish the target, the attacker uses the Evil QR Browser extension on the web application sign-in page. 

Read moreCISA, NSA Issue New IAM Best Practice Guidelines

It will automatically find the QR code image and detect if it changes. Once it changes, it will upload the updated image to the Evil QR server.

One of the most important characteristics of session tokens, represented by sign-in QR codes, is that the tokens are short-lived by design. 

Read more6 Ways to Mitigate Risk While Expanding Access

Every token is made to expire approximately after 30 seconds, which drastically shortens the time frame of the token’s validity.

Once the token expires, the website regenerates it and updates the displayed QR code on the sign-in page.

Read moreHypervisors and Ransomware: Defending Attractive Targets

If sign-in session tokens did not expire, attackers might print QR codes on paper and mail them to potential victims.

After a period of inactivity, some websites cease updating QR codes to save bandwidth. They normally offer a “Retry” option, which the extension can automatically click on to continue updating QR codes.

Read moreNIST Launches Cybersecurity Initiative for Small Businesses

The extension can also detect the presence of a specific DOM object, which will show up only when the attacker is signed in after the phishing attempt is successful. 

It will then send an update to the Evil QR server with the authorized: “true” parameter, allowing the phishing page to decide on how to proceed.

Read moreEducating Your Board of Directors on Cybersecurity

“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.

The post Evil QR – A New QR Jacking Attack that Enables Attacker to Take Over User Accounts appeared first on Cyber Security News.

Read morePersonal Information of 9 Million Individuals Stolen in MCNA Ransomware Attack

   Read More 

Cyber Security News 

Related Posts

Trickbot malware developer jailed for five years

Trickbot malware developer jailed for five years

[[{“value”:”A 40-year-old Russian man has been sentenced to five years and four months in prison by a US court, for his involvement in the Trickbot gang that deployed ransomware and stole money and sensitive information from businesses around the world.

Read more in my article on the Hot for Security blog.”}]]   Read More 

Graham Cluley